AWS Event Tracking

As more and more services move to the cloud, security professionals must become more vigilant at monitoring usage and tracking access.  SecurityCenter Continuous View (CV) users have a new tool in their arsenal: the LCE Web Query Client. The new LCE Web Query Client can monitor AWS cloud services, and this dashboard assembles the data in a fashion that is easy to read and understand.

The LCE Web Query Client is used to request event data from RESTful web services. The logs returned from queries are stored and normalized in LCE, allowing the information to be searchable in SecurityCenter CV. The process to configure the LCE Web Query Client begins with supplying API configuration details to the agent for the AWS services.  The agent is then directed to send logs to LCE.  The resulting events have the prefix of “AWS.”

The AWS events provide notification of user access events, account changes, new instances, policy changes, and other settings.  The organization can track the IP address where the user connected from, whether the credentials were valid or not, and monitor for new virtual machine instances being created.  This information allows the organization to understand the usage of AWS and monitor for unauthorized access.

The dashboard is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Monitoring. The report requirements are:

• SecurityCenter 5.2.0
• LCE 4.6.1
• LCE Web Query Client

Tenable covers all types of users and services, regardless of location, providing continuous monitoring for the new IT landscape. SecurityCenter Continuous View (CV) allows for the most comprehensive and integrated view of network health. Log Correlation Engine (LCE) provides tight integration with SIEMs, log management tools, malware defenses, the PVS network sensor, NetFlow, BYOD, firewalls, web, authentication systems and cloud services. LCE also provides deep event inspection to continuously discover and track users, applications, cloud infrastructure, trust relationships, and vulnerabilities.

Components

AWS Events - Event Categories: This matrix provides indicators for each of the AWS event categories monitored. The LCE Web Query Client has the ability to detect three events using the RESTful web services.  Each cell in the indicator uses a saved query for each category.  These queries can allow for easier monitoring of different events.  If the indicator turns purple, then matching logs are detected.

AWS Events - Identity and Access Management Events: This matrix extracts the identity and access management events into 12 indicators for easy monitoring.  The LCE Web Query Client has the ability to detect three events using the RESTful web services.  Each cell in the indicator uses a saved query for different events related to user login, policy changes, new users, and other related events.  Monitoring these events can be useful when monitoring for unauthorized account creation or other events.  If the indicator turns purple, then matching logs are detected.

AWS Events - Instance Events Summary: This table provides a list of most recent normalized events related to AWS instances.  The table helps the organization monitor for changes of status to VM instances and new detected systems.  The table provides the Normalized event, count of events, and a trend line showing when events have occurred.

AWS Events - Accessed From: This table provides the source IP address extracted from the AWS events.  The table is sorted based on event count and displays the source IP address, LCE reporting the event, and number of events detected.  The IP addresses on the list should remain relatively the same; when new or uncommon IP addresses appear on the list, their events should be reviewed to determine whether or not they are authorized.

AWS Events - User Summary: This table provides a list of user accounts that have logged into AWS.  LCE has the ability to extract usernames and provide a brief history of events for each.  The table shows the user, event count, and a trend chart.  If the users are marked as unknown, there could be an issue parsing the username from the logs.  Check the “Valid Username Characters” setting in the LCE configuration and increase the value if needed.